Expert answer: IT Risk and Security Questions

Solved by verified expert: Attached are the questions and all materials needed to answer the questions. The zip folder has all required documents; the question document is the one that needs to be done. The Security in Computing PDF is the book for this class. No answers from Google please; answers should be from the books, PDFs and PowerPoint slides.
class_documents.zip

questions.docx

sample_case_study.docx

security_in_computing__5th_edition.pdf

Unformatted Attachment Preview

Questions:

1. Sarbanes-Oxley contains 11 titles that describe specific mandates and requirements for financial reporting. Which title enforces IT security controls, and explain how these controls can be implemented to protect banking assets. (5 points)

2. Describe the critical success factors to implement an efficient and effective information security risk assessment program. (5 points)

3. The GAO Report, Information Security Risk Assessment, identified three methods of conducting and documenting the assessment. These three methods were discussed in class. Using the information from the case study provided below, identify the pertinent threats, vulnerabilities, and recommended countermeasures using one of the risk assessment methods from the GAO Report. (15 points)

Case Study: Recently, the Department of Veterans Affairs reported that an employee took a laptop computer home that contained records of millions of veterans. The computer was stolen. You were hired as an outside consultant to conduct a risk assessment and present the results to the Department's Chief Information Security Officer so she can prepare for Congressional testimony.

4. Based on previous discussions in class/online about FISMA, HIPAA, and Sarbanes-Oxley (SOX) security controls, answer the following questions:

a. Your IT enterprise is comprised of both host-based and network-based IDSs, application gateway firewalls, and VPN-enabled applications to support its sales department. Identify the security controls that each of these technologies implements and explain how these controls support confidentiality, integrity, and availability. (10 points)

b. Identify the appropriate security controls that apply to an organization that has medical applications. Specifically, identify 5 security controls and briefly explain (1-2 sentences) how these controls help mitigate the risk of inadvertent disclosure of personal information, modification of data, or the availability of data. (10 points)

c. You report to the CIO of a large financial institution and he has tasked you to develop procedures to implement 5 Access Control mechanisms for the IT systems. Briefly explain (1-2 sentences for each mechanism) how you would implement the control. (10 points)

5. Using the Security Target for Bioscript, Version 2.1.3 (see attached document in BlackBoard), identify the relevant security features for logical and physical access in a financial institution, and identify how these features would support best security practices (e.g., FISMA, SOX, or HIPAA). Select 5 security controls. Additionally, explain how these security functional requirements protect against inadvertent disclosure of information, modification of data, and/or the availability of data. (15 points)

6. Explain which NIST security controls enforce the Principle of Least Privilege. (5 points)

7. Port scanning allows a user to sequentially probe a number of ports on a target system in order to see if there is a service that is listening. Explain how effective packet filtering can deter scanning probes from devices like FIN scanners. (5 points)
CASE STUDY #2

Based on the FISMA, SOX, and HIPAA (optional) security controls identified from the assignment readings, use the banking scenario case study previously discussed and select all of the applicable security controls that could be evaluated for compliance. Provide a brief rationale for how these controls reduce risk. Your response should be 3-5 typed pages.

Banking Scenario:
A bank clerk stole money from a customer's account. The clerk changed the customer's address to his own, issued an extra card for the account (which he received), and then changed the address back again. He withdrew money from ATMs. The customer did not notice the thefts for a long time because of the way the bank's system worked: when a customer gets a statement from an ATM (as the clerk always did), that transaction did not appear on the statement that was mailed.
Source: Secure Computing, Summers
The more security controls an organization has in place, the less the company is exposed to risk. “Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information” (Ross et al., 2005, p. 1). In many organizations, small or large, people have access to information that they do not actually need, and this excess access is behind much of the malicious human-caused harm to computer security systems. With more breaches of security systems occurring, such as the recent Equifax attack, the cost of security may rise in the near future, causing companies to increase the percentage of their spending that goes to security systems. Since access control affects integrity, it is important that organizations identify the many ways to implement these controls to keep information safeguarded. In the case of the bank clerk working at Ladder bank, we saw that the clerk stole money from a customer's account by changing the customer's address to his own and then changing it back to the customer's original address without the customer's knowledge. With the clerk holding an extra card on the account, he was able to make withdrawals from the ATM.
Supervision and review of access control is an important control in the case of the bank clerk stealing the customer's account information and using it for his own personal gain. According to Ross et al. (2005), this control is important here because it has the organization review activity logs, looking at audit records for any inappropriate use, review changes to access authorizations, and review a user's activity (Ross et al., 2005, p. 44). This control could have prevented unauthorized access to the customer's account if the bank had been keeping up with reviews of changes and of the user's recent activity. Usually, when there is a change of address or something new is ordered on your account, you receive a text message or email notification asking about the recent address change or, in this case, about an extra card being ordered for the account. If the bank had supervision and review as one of its access controls, the teller could also have had limited access to the account through security questions or locks placed on the account once a review of the user's activity showed that something was unusual.
A user's activity says a lot about what the person does and makes it possible to flag suspicious behavior. For example, an account is put on hold when you swipe your card in a different state, whereas the card is not blocked in the areas where you work or reside. Another frequent block on cards happens when you spend more in one day, or in one lump sum, than the bank is used to seeing from that customer. To keep fraud from occurring on the account, the bank will call you to verify your transactions or ask you security questions. If the bank had reviewed its audit records for inappropriate use, it would have seen that the address to which the extra card was ordered had never been on file before, which should have raised a flag, especially because the address was changed back to the customer's original address right after the card was ordered. Yes, a bank clerk does have access to the information he stole from the customer, which made the theft easier, but having supervision and review as an access control could have prevented the clerk from getting away with his malicious intent so easily.
Assigning responsibility for a written plan and budget is another way of reducing the identified risks. The bank appoints an accountable official who is tasked with information security. The selected individual should be someone with ultimate oversight over information policies, security matters, and risk management, with accountability rolling up to the CIO. In this way the CIO will always have up-to-date information about the security of the systems, so any risk will be noticed as soon as it arises and the necessary actions will be taken. Since data is a very important aspect of the organization, the bank can choose to emphasize protecting the information rather than the system. Data is critical to the bank's business, so the bank should work outward from the data to the systems and individuals that handle it. This reduces risk by ensuring that even if hackers bypass the system security, they may not be able to reach the data, and if they do reach it, it should be of no use to them. This can be done by encrypting the data in the database.
The bank should note that some risks are acceptable and that the chance of something missing from a checklist is higher than zero, because something will always be found. All members of staff in the bank, including the clerks, must come together and implement procedures and policies that provide cost-effective ways of reducing the risks to acceptable levels. All the reasoning behind each decision must be well documented, and any compensating controls in other areas should be documented as well. The company will then be able to concentrate its resources on the most important areas, those that could expose the most important or secret information, rather than spending too much on protecting against risks that may have no impact on the organization. Another effective security control is regular reporting. The bank should create a regular reporting plan, as it will provide better insight and increase the effectiveness of its security program. With regular reporting, any change will be noticed as soon as it arises and can be acted upon before it results in more serious problems like the one that occurred in the Ladder bank scenario.
FISMA also recommends compulsory monitoring of existing security controls as a security control in itself. The bank should perform continuous monitoring of certain controls, including system changes, ongoing assessments of security controls, configuration management, and reporting activities. This will ensure that all security controls are in place and working as intended. In addition to the above security controls, it will also be important to create and document security test controls. The bank should evaluate the controls it has in place at least two to three times every year. This will help it retain evidence of its evaluations and findings and also help it implement a process to remediate those findings. Ownership of this remediation should be assigned to one staff member in the organization. Ladder bank could also invest in a FISMA audit as an impetus to implement better security. Though this is not much different from other security control standards, it will provide value to the bank's customers and to the data held by the bank. According to the Federal Information Security Amendments Act, H.R. 1163, federal agencies should continuously monitor their IT systems for cyber threats and implement effective regular threat assessments. Under this security control standard, each department secretary and agency director is held accountable for their organization's IT security (Rose, 2008).
Facility Access Controls is another type of security control that should be implemented at Ladder bank. Through it, the bank will be able to implement an addressable Facility Security Plan. The Facility Security Plan will help the bank implement security policies and procedures that safeguard the facilities and the bank's equipment from being accessed by unauthorized users. This will ensure the facilities are secure from theft and tampering.
Facility Access Controls will also enable the bank to come up with addressable Access Control and Validation Procedures. These procedures will be used to validate persons accessing the facilities based on their functions and roles. In addition, the procedures will also control visitors who access the software program for testing or revision. Validating the persons accessing the system or the software program will prevent unauthorized users from accessing the system and interfering with customer information such as accounts and balances.
Device and Media Controls is also an important security control measure that needs to be implemented at Ladder bank. It will help the bank back up and retrieve sensitive information that may be lost if equipment breaks down or is moved. You can imagine what might happen if the clerk decided to delete a customer's account, or if the bank lost information about its customers and their transactions. With this form of security control implemented, it will be easier to restore users' information in the shortest time possible. In addition, Device and Media Controls will enable the bank to implement equipment disposal procedures, which will help it address the final disposition of retired equipment. This includes electronic media such as hard drives that may otherwise end up exposing sensitive information of the organization.
Workstation Use controls is another security control measure that needs to be put in place at Ladder bank. It will help the bank implement policies and procedures that govern the use of computers in the organization. When this type of security control is implemented within Ladder bank, each clerk will use their machine according to their role. Any clerk who uses the system for functions other than the ones they are assigned will be answerable for breaking the rules. Moreover, this control, coupled with the Separation of Duties control, will allow Ladder bank to prevent the kind of unauthorized access to information that the bank clerk was able to gain and use. According to Ross et al. (2005), this control will “establish appropriate divisions of responsibility and separate duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals,” thus allowing Ladder bank to reduce the risk to integrity by establishing specific roles and access capabilities for each of its employees.
Furthermore, the Audit Log control is another requirement that should be implemented at Ladder Bank. This control will allow employees at Ladder bank to be held accountable for the information they have access to. According to the GAISP V3.0 document, information assets should be controlled and monitored with an accompanying audit log that records any modification, addition, or deletion to the information assets; documenting what each employee has accessed will allow Ladder bank to see whether any breach has occurred sooner rather than later (GAISP, 2004, p. 5). For example, if one of the employees uses their workstation to access a database or system that is not part of their function, the system will not only alert the user that access has been denied but will also capture the time, date and employee ID number in an audit log to be reviewed. By capturing this information, a red flag would have been raised to alert Ladder bank that someone had attempted to access unauthorized information, and the bank clerk would have been questioned, held accountable and, if need be, terminated to remove the threat.
In addition, Ladder bank would have to review the audit logs once a month. Each audit review will aid the company in developing a risk assessment, in particular the team risk assessments, in which the information in the audit log is taken and categorized by severity and probability. According to the GAO report Information Security Risk Assessment: Practices of Leading Organizations, risk assessment teams consider how current organizational procedures or technical applications may compromise the organization's information resources and ultimately damage the company; this shows how the audit logs can help the company initiate a proposed corrective action to prevent technical applications and their usage from damaging the company's integrity (GAO, 1991, p. 21). For instance, if the audit log captured the bank teller trying to access a database outside their role and workstation one month, and the next month's audit review noted the same action by the same bank teller, the risk assessment team could categorize the loss of proprietary information as high severity and the likelihood of the scenario as frequent, and a corrective action would be produced to reduce the risk to confidentiality. Overall, the more security controls Ladder Bank has, the less the company is exposed to risk. All of these controls will allow Ladder Bank to be more efficient in safeguarding its information and reducing the risk of an internal threat and the loss of proprietary information.
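The supervision-and-review check on address changes and the monthly audit log review described above, as an added example that is not part of the case study or its cited sources: it scans constructed audit log lines (field layout, event codes, employee IDs, account IDs and the employee address table are all assumptions) for the Ladder bank sequence of address change, card issue to the new address and revert, and for the same employee being denied access to the same system in more than one month.

```python
# Added example (not from the case study or its cited sources): scans constructed
# core-banking audit log lines for the Ladder bank sequence (address changed, card
# issued to the new address, address reverted) and for repeated denied access.
# Field layout, event codes, employee and account IDs are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp|employee_id|event|target|key=value;..."
SAMPLE_LOG = """\
2017-09-01T09:12:00|E1042|ADDRESS_CHANGE|ACC-77801|old=12 Oak St;new=9 Elm Rd
2017-09-01T09:15:00|E1042|CARD_ISSUE|ACC-77801|ship_to=9 Elm Rd
2017-09-03T17:40:00|E1042|ADDRESS_CHANGE|ACC-77801|old=9 Elm Rd;new=12 Oak St
2017-09-04T08:00:00|E2210|ADDRESS_CHANGE|ACC-55012|old=1 Main St;new=4 Pine Ave
2017-09-20T10:05:00|E1042|ACCESS_DENIED|LOAN_DB|reason=role_mismatch
2017-10-18T11:30:00|E1042|ACCESS_DENIED|LOAN_DB|reason=role_mismatch
"""
# Constructed HR record of employee home addresses; the clerk used his own.
EMPLOYEE_ADDRESSES = {"E1042": "9 Elm Rd", "E2210": "77 Lake Dr"}

def parse_log(text):
    """Turn each pipe-delimited line into a dict; the detail field is key=value pairs."""
    events = []
    for line in text.strip().splitlines():
        ts, emp, event, target, detail = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                       "event": event, "target": target, **fields})
    return events

def find_address_card_pattern(events, window_days=7):
    """Flag accounts where an address change is followed, within the window, by a
    card shipped to the new address and a change back to the old address. Report
    whether one employee did all three steps and whether the interim address
    belongs to an employee, which are the two review questions the case raises."""
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for e in events:
        by_account[e["target"]].append(e)
    findings = []
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, chg in enumerate(evs):
            if chg["event"] != "ADDRESS_CHANGE":
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - chg["ts"] <= window]
            card = next((e for e in later if e["event"] == "CARD_ISSUE"
                         and e.get("ship_to") == chg["new"]), None)
            revert = next((e for e in later if e["event"] == "ADDRESS_CHANGE"
                           and e.get("new") == chg["old"]), None)
            if card and revert:
                findings.append({
                    "account": acct, "interim_address": chg["new"],
                    "single_actor": len({chg["emp"], card["emp"], revert["emp"]}) == 1,
                    "matches_employee": [emp for emp, addr in EMPLOYEE_ADDRESSES.items()
                                         if addr == chg["new"]]})
    return findings

def repeated_denials(events, min_months=2):
    """Employee/target pairs denied access in at least min_months distinct months,
    the 'same action again next month' case of the monthly audit review."""
    months = defaultdict(set)
    for e in events:
        if e["event"] == "ACCESS_DENIED":
            months[(e["emp"], e["target"])].add(e["ts"].strftime("%Y-%m"))
    return {k: sorted(v) for k, v in months.items() if len(v) >= min_months}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(find_address_card_pattern(evs), repeated_denials(evs))
```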
References

GAO: Information Security Risk Assessment Practices of Leading Organizations. (1991). 1-48. Retrieved September 15, 2017, from https://blackboard.towson.edu/bbcswebdav/pid-4095496-dtcontent-rid4704787_2/courses/1122AIT612101_105_IHSM621001/Course%20Documents/Class%202%20-%20GAO%20Report/ai00033.pdf

Generally Accepted Information Security Principles (GAISP) V3.0. (2004). 1-53. Retrieved September 15, 2017, from https://blackboard.towson.edu/bbcswebdav/pid-4095499-dt-contentrid4704795_2/courses/1122AIT612101_105_IHSM621001/Course%20Documents/Class%203%204%20-%20GAISP/GAISP-v30.pdf

Ross, R., Katzke, S., Johnson, A., Swanson, M., Stoneburner, G., Rogers, G., & Lee, A. (2005, February). NIST: Recommended Security Controls for Federal Information Systems. Retrieved September 15, 2017, from https://blackboard.towson.edu/bbcswebdav/pid-4095498-dt-contentrid4704793_2/courses/1122AIT612101_105_IHSM621001/Course%20Documents/Class%203%204%20-%20SP%20800-53/SP800-53.pdf
Security in Computing
FIFTH EDITION
Charles P. Pfleeger
Shari Lawrence Pfleeger
Jonathan Margulies
